Fiscal Year 2006 Evaluation of Information Security
at the Railroad Retirement Board
Report No. 06-11, September 27, 2006

INTRODUCTION

This report presents the results of the Office of Inspector General's (OIG) evaluation of information security at the Railroad Retirement Board (RRB).

Background

The RRB administers the retirement/survivor and unemployment/sickness insurance benefit programs for railroad workers and their families under the Railroad Retirement Act (RRA) and the Railroad Unemployment Insurance Act (RUIA). These programs provide income protection during old age and in the event of disability, death, temporary unemployment or sickness. The RRB paid over $9.2 billion in benefits during fiscal year (FY) 2005.

The RRB's information system environment consists of six major application systems and two general support systems, each of which has been designated as a moderate impact system in accordance with standards and guidance promulgated by the National Institute of Standards and Technology (NIST). The major application systems correspond to the RRB's critical operational activities, including RRA benefit payments, RUIA benefit payments, maintenance of railroad employee compensation and service records, administration of Medicare entitlement, financial management, and the RRB's financial interchange with the Social Security Administration. The two general support systems comprise the mainframe computer and the end-user computing systems.

This evaluation was conducted pursuant to the E-Government Act of 2002 (P.L. 107-347), Title III, the Federal Information Security Management Act of 2002 (FISMA), which requires annual agency program reviews, Inspector General security evaluations, an annual agency report to the Office of Management and Budget (OMB), and an annual OMB report to Congress. FISMA also establishes minimum requirements for the management of information security in the following nine areas:

   1. Risk Assessment
   2. Policies and Procedures
   3. Testing and Evaluation
   4. Training
   5. Security Plans
   6. Remedial Action Process
   7. Incident Handling and Reporting
   8. Continuity of Operations
   9. Inventory of Systems

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide integrity, confidentiality, and availability. FISMA requires agencies to report any significant deficiency in policy, procedure, or practice as a material weakness in reporting under the Federal Managers' Financial Integrity Act.[1]

[1] A significant deficiency is a weakness in an agency's overall information systems security program or management control structure, or within one or more information systems, that significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets.

The OIG previously evaluated information security at the RRB during FYs 2000 through 2005, and reported weaknesses throughout the RRB's information security program.[2] The OIG also cited the agency with significant deficiencies in access controls in the mainframe and end-user computing environments, training provided to staff with significant security responsibilities, and delays in meeting FISMA requirements for both risk assessments and periodic testing and evaluation.

[2] OIG audit reports are maintained on the RRB website at http://www.rrb.gov/oig/library.asp.

Objective, Scope and Methodology

This evaluation was performed to meet FISMA requirements for an annual OIG evaluation of information security that includes:

   1. testing of the effectiveness of information security, policies, procedures, and practices of a representative subset of the agency's information systems; and
   2. an assessment of compliance with FISMA requirements and related information security policies, procedures, standards, and guidelines.

To meet the first requirement, the OIG audited the incident handling and reporting program at the RRB and evaluated the RRB's disaster recovery plan. We also started an audit of the application controls of the Daily Activity Input System/Checkwriting Integrated Computer Operation component application of the RRA benefit payment major application, which is nearing completion. These reviews were conducted in FY 2006.

To meet the second requirement, we considered the results of prior audits and evaluations of information security during FYs 2000 through 2005, including the status of related recommendations for corrective action. We also obtained and reviewed documentation supporting the RRB's performance in meeting FISMA requirements and interviewed responsible agency management and staff.

The primary criteria for this evaluation were:

   • FISMA requirements;
   • OMB Circular A-130, "Management of Federal Information Resources"; and
   • NIST standards and guidance.

Our work was performed in accordance with generally accepted government auditing standards as applicable to the objective. Fieldwork was conducted at RRB headquarters in Chicago, Illinois from May through September 2006.

RESULTS OF EVALUATION

The RRB continues to experience difficulty in achieving an effective, FISMA compliant security program. During FY 2006, the agency completed corrective action to eliminate the previously reported significant deficiency in training. Previously identified significant deficiencies in access controls, risk assessments, and periodic testing and evaluation continue to exist, as well as other observed weaknesses in the agency's implementation of requirements for risk based policies and procedures, a remedial action process, continuity of operations, and inventory of systems.

The agency is addressing its significant deficiencies in the previously reported areas of access controls, risk assessments, and periodic testing and evaluation. However, much work remains to be completed.

The agency is also in the process of forming an agency-wide Security and Privacy Committee. The committee is expected to include employee representatives from each major application and general support system. It will be responsible for providing direction, issuing guidance, compiling certifications, and providing specific oversight for agency-wide implementation of FISMA requirements including risk assessments, annual evaluations, and testing of controls including certification and accreditation. The RRB's three-member Board has not yet formally approved this committee.

The details of our assessment of agency progress in complying with FISMA requirements and a summary of the weaknesses identified during our FY 2006 tests of the effectiveness of information security, policies, procedures, and practices, follow. Agency management provided no formal comments for publication with this report.

Risk Assessment

The RRB has not yet implemented an effective risk assessment process that complies with Federal information processing standards and documents critical agency determinations concerning risk. Risk management drives a FISMA mandated security program and NIST compliant certification and accreditation process.

FISMA requires periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems. Risk assessment is the first step in the risk management process. Organizations use risk assessment to determine the extent of the potential threat to information and information systems, and to ensure that the greatest risks have been identified and addressed.

The OIG has previously recommended that the agency ensure complete formal risk assessments are prepared in accordance with NIST guidance.[3] The RRB has begun the process of developing a risk assessment process. In FY 2006, the Bureau of Information Services (BIS) drafted a formal risk assessment methodology which is expected to be further developed and implemented by the Security and Privacy Committee. Our review of the initial draft of the risk assessment methodology shows that it incorporates NIST standards and guidance on risk management, minimum security requirements, and certification and accreditation. The draft also incorporates existing RRB policies concerning risk analysis.

[3] OIG Report No. 05-08, Recommendation 4.

Agency action to implement prior OIG recommendations for corrective action is pending; the OIG has no additional recommendations to offer at this time.

Policies and Procedures

The RRB's policies and procedures continue to need improvement to ensure that they are comprehensive and effective in all areas of the agency's information security program.

FISMA requires that agencies include risk-based policies and procedures that cost-effectively reduce information security risks to an acceptable level and ensure that information security is addressed throughout the life cycle of each information system in their information security programs. FISMA also requires each agency to have policies and procedures that ensure compliance with minimally acceptable system configuration requirements, as determined by the agency.

The OIG has previously recommended that the RRB develop an agency-wide security configuration policy for server operating systems, and policy and procedures for the review of contractor operations in accordance with NIST guidance.[4]

[4] OIG Report No. 05-11, Recommendations 1 and 2.

Agency action to implement prior OIG recommendations for corrective action is pending; the OIG has no additional recommendations to offer at this time.

Testing and Evaluation

The RRB's efforts to implement a consistent, FISMA compliant testing and evaluation process are not complete. Although the agency has begun planning for such a process, much work remains to be done.

FISMA requires periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, performed with a frequency depending on risk, but no less than annually. The periodic tests and evaluation must include testing of management, operational, and technical controls for every system identified in the agency's inventory of systems. NIST Special Publication (SP) 800-53A, "Guide for Assessing the Security Controls in Federal Information Systems," provides procedures for assessing the effectiveness of security controls employed in Federal information systems and directly supports the security certification and accreditation process.

The OIG previously reported that prior RRB tests did not meet FISMA requirements because they did not include all major application systems and were not comprehensive with respect to all three categories of controls: management, operational and technical. In addition, the agency had not consistently performed tests of contractor operations.

The OIG previously recommended that management act to ensure that periodic independent evaluations of system security for major applications be performed, and to ensure the quality of security self-assessments.[5]

[5] OIG Report No. 02-04, Recommendation 3; OIG Report No. 03-02, Recommendations 1, 2, 3, and 4.

In FY 2006, BIS incorporated a subset of the NIST SP-800-53A procedures as a test plan for common controls which are not specific to any one major application or general support system. Testing of these controls is the responsibility of the BIS Risk Management Group. The common controls address the development of policies and procedures, continuity planning, incident response, physical environment security, and personnel security. Testing has begun. The remaining NIST SP-800-53A procedures will become the responsibility of the Security and Privacy Committee, and a test plan will be designed to specifically address each individual major application or general support system.

Training

The RRB has met the FISMA requirement for information security training. During FY 2006, the RRB implemented a role-based security training curriculum and has provided a substantial portion of the current year's training plan to employees with significant security responsibilities. In addition, the agency continued its existing program for providing general security awareness training to employees and contractors.

FISMA requires agencies to provide security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities as well as their responsibilities in complying with agency policies and procedures designed to reduce these risks. In addition to security awareness training, agencies are required to provide appropriate training on information security to personnel with significant security responsibilities.

The OIG cited the RRB with a significant deficiency in training during FY 2001 because individuals with decision-making responsibilities for information system security did not have adequate formal training in the theory, principles, and practice of information security. During FY 2006, we observed that the RRB had ensured all employees with significant security responsibilities completed a substantial portion of the current year's training plan. As a result, the OIG no longer considers training to be a significant deficiency.

Prior OIG recommendations for corrective action will remain open until the agency has provided the balance of training planned under the new role-based security training curriculum. The OIG has no additional recommendations to offer at this time.

Security Plans

FISMA requires that agencies maintain subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems. The RRB has developed and maintains such plans.

Remedial Action Process

The RRB continues to experience difficulty in implementing a remedial action process that is sufficient to meet FISMA and OMB requirements. In FY 2005, we reported that the existing POAM was not comprehensive with respect to identified weaknesses, was not driven by internal risk assessments and control evaluations, and did not demonstrate prioritization of agency plans and efforts to correct the weaknesses found. Current-year action has not been sufficient to correct these deficiencies.

FISMA requires Federal agencies to maintain a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency. OMB requires agencies to develop a formal Plan of Action and Milestones (POAM) to identify vulnerabilities in information security and track the progress of corrective action. Each year, OMB requires the Inspectors General to assess the agency's POAM as part of the FISMA reporting process.

The OIG previously recommended that the RRB review and revise its remedial action process.[6] In FY 2006, the BIS began to track weaknesses and related recommendations for corrective action using an automated project management tool. However, this initiative has not been fully effective. At the time of our review, the automated system was being used to track only those recommendations that the OIG had previously identified as most significant to achieving an effective, FISMA compliant security program. The automated system includes data for 33 recommendations for which corrective action is pending, which represents only 46% of all outstanding OIG recommendations for improved information security. Additionally, BIS has not begun to use the new system to track weaknesses identified through agency reviews performed internally or by their contractor consultants.

[6] OIG Report No. 05-11, Recommendation 3.

Agency action to implement prior OIG recommendations for corrective action is pending; the OIG has no additional recommendations to offer at this time.

Incident Handling and Reporting

The RRB's incident handling and reporting program is generally effective in ensuring the confidentiality, integrity and availability of the agency's information and information technology.

FISMA mandates that Federal agencies develop, document and implement procedures for detecting, reporting, and responding to security incidents as part of their agency-wide information security programs.

The OIG performed a detailed review of the RRB's incident handling and reporting program during FY 2006.[7] Although we identified some areas of program management that could be improved, we found that the agency's overall efforts were sufficient to meet the requirements established by FISMA.

[7] OIG Report No. 06-09.

The RRB has agreed with the OIG recommendations for corrective action presented in that report, and has begun to address these deficiencies. The OIG has no additional recommendations to offer at this time.

Continuity of Operations

The agency's disaster recovery plan provides assurance that major information technology functions would be operational in the event of a disaster. However, the plan does not provide reasonable assurance that the agency will be able to recover from a major disaster and perform its critical business functions in a timely manner.

FISMA requires Federal agencies to implement plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.

The OIG performed an evaluation of the RRB's disaster recovery plan during FY 2006.[8] We found that the RRB limits disaster recovery tests to the recovery phase of the plan and, as a result, does not have adequate assurance that procedures are maintained in a constant state of readiness. Additionally, the RRB has not completed corrective action to implement prior OIG recommendations that the agency update its overall disaster recovery plan and ensure that all decisions related to the disaster recovery contract be formally documented.[9]

[8] OIG Report No. 06-08.
[9] OIG Report No. 02-04, Recommendation 6; OIG Report No. 02-12, Recommendation 3.

The RRB has agreed with the OIG recommendations for corrective action presented in OIG Report No. 06-08, and has begun to address these deficiencies. The OIG has no additional recommendations to offer at this time.

Inventory of Systems

The agency has not yet completed compilation of a reliable inventory of its systems. In FY 2006, BIS started the process of compiling a single, comprehensive inventory of application systems that is intended to address the needs of all organizational units.

FISMA established a requirement that each agency develop, maintain, and annually update an inventory of major information systems operated by the agency or that are under its control. This inventory is to include an identification of the interfaces between each system and all other systems or networks, including those not operated by or under the control of the agency.

In FY 2005, we reported that the RRB had not compiled a reliable inventory that identifies component applications operating in the end-user computing general support system, the related server locations or the security administrators. We also reported that the RRB's system inventories are maintained by several different organizational units whose efforts are not coordinated or consistent. Accordingly, the OIG has recommended that the agency take action to improve its systems inventory.[10]

[10] OIG Report No. 05-08, Recommendations 1, 2, and 3.

In FY 2006, we reviewed agency efforts to date and noted that the BIS inventory continues to omit some systems identified by other organizational units. Additionally, the inventory does not show the same information system platform indicators (mainframe vs. end-user computing) for all systems. We shared these discrepancies with BIS in accordance with OMB's FY 2006 FISMA reporting requirements.

Agency action to implement prior OIG recommendations for corrective action is pending; the OIG has no additional recommendations to offer at this time.